Digital Forensics Tips&Tricks: Enhanced Command-line Auditing

Let's imagine a situation where a cyber-attacker executes commands on an infected workstation, either remotely through the command-line interface (cmd.exe) or locally with a special USB device such as a Teensy or a USB Rubber Ducky.

How can we see these commands during a digital forensics process?
In this test case I used a typical USB Rubber Ducky device with a payload that, when executed, starts a command console (cmd.exe) and then uses xcopy.exe to copy some data to the hard drive. After this I made a RAM dump and tried to find these commands with a Volatility script. None of the commands typed by the fake keyboard (the Rubber Ducky) were found.

Another approach you can take: if some console utility was started and you see the related .pf files in the \Windows\Prefetch folder, you can search the memory dump with WinHex or another tool for instances of those commands in memory.

But this obviously requires special skills, and it can take a long time depending on your skill level.

So, if a cyber-attacker uses a Rubber Ducky-style device or types commands remotely in cmd, it is really hard to recover the full text of those commands during an incident investigation.

What can we do to be ready for situations like this and to make a corporate IT infrastructure well prepared for fast digital forensics investigation?

If your IT infrastructure is built on AD DS with Windows Server 2012 R2 / Windows 8.1, you can configure Enhanced Command-line Auditing via Group Policy.

There is a dedicated event ID 4688 (process creation) in the Windows Security log, but without additional configuration it contains only scant information about the new process and nothing about the command line that was typed and executed in the console.

All we need to do is enable two options in a Group Policy Object using gpmc.msc on a Domain Controller:
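The post does not reproduce the two settings themselves, so as an added example (not the author's own configuration) here is the local, per-machine equivalent of what that GPO writes, followed by a query that pulls the recorded command lines back out of the Security log. The registry path and the "Process Creation" audit subcategory are the documented Windows 8.1 / Server 2012 R2 values; the function name and the `xcopy` filter are this example's own choices, matching the Rubber Ducky test case above.

```powershell
# Added example: local equivalent of the two Group Policy settings for
# enhanced command-line auditing, plus a reader for the resulting events.
# Run from an elevated PowerShell prompt. In a domain, set the same two
# options in a GPO (gpmc.msc):
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#     Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking >
#     Audit Process Creation  (Success)
#   Computer Configuration > Policies > Administrative Templates > System >
#     Audit Process Creation > Include command line in process creation events

# 1) Audit subcategory "Process Creation" -> generates event ID 4688.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2) "Include command line in process creation events" is stored as a
#    DWORD policy value; without it the CommandLine field of 4688 is empty.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3) Read 4688 events back and extract the fields an investigator wants.
#    Function name and parameters are this example's own (hypothetical).
function Get-ProcessCreationEvents {
    param(
        [int]$MaxEvents = 200,
        [string]$CommandLinePattern = '.'   # regex over the CommandLine field
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Each EventData <Data Name="..."> element becomes a hashtable entry.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']   # present on 8.1 / 2012 R2 and later
                CommandLine = $data['CommandLine']         # populated only after step 2
            }
        } |
        Where-Object { $_.CommandLine -match $CommandLinePattern }
}

# Example: every cmd.exe / xcopy.exe launch with its full command line,
# which is exactly what the memory-dump search in this post failed to recover.
Get-ProcessCreationEvents -CommandLinePattern 'xcopy|cmd\.exe' | Format-Table -AutoSize -Wrap
```

Two practical notes: the setting takes effect for processes started after it is applied, so it must be in place before an incident, not after; and because full command lines are now logged (including any credentials passed as arguments), the Security log should be size-limited appropriately and forwarded to a collector that an attacker on the workstation cannot clear.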
